[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: Dereferencing Namespace URIs considered harmful

  • From: Uche Ogbuji <uche.ogbuji@f...>
  • To: John Wilson <tug@w...>
  • Date: Mon, 01 Jan 2001 09:17:58 -0700 (MST)

Re: Dereferencing Namespace URIs considered harmful
> It would be worthwhile taking a little time to consider the possible
> security impact of encouraging XML processing software to dereference
> Namespace URIs as a matter of course.
>
> Performing an HTTP GET on an arbitrary URL is not an innocuous action. Most
> web servers have well known vulnerabilities to various forms of malformed
> URL. In addition the logs kept by web servers can be and are used to track
> the progress of HTML formatted email messages - this could easily be
> extended to track the progress of XML documents (e.g. SOAP messages, XML
> based EDI documents) providing an attacker with valuable information on the
> business infrastructure behind the firewall.

Thanks for mentioning this, which is a very important issue for all of us
writing network software to keep in mind.

However, I hardly think there is anything special about dereferencing
namespace URIs that causes any particular concern.  Internet
infrastructure revolves around accessing and opening up resources from
untrusted parties.  Without this, CERT would be a lot less busy, but the
Internet would be precisely nowhere.  There is little one can do to make
the Internet more valuable without also making it more dangerous.

Programmers need to be aware of possible denial-of-service attacks, remote
exploits, etc.  As for web bugs, I don't think there's much to be done.
These can already be insinuated through entity references in current XML
documents.  This may be a problem for thse obsessed about privacy.  As for
the idea that hackers can map out a firewall-protected network using such
web bugs, I'm no security expert, but I'm suspicious that this is possible
without some other concomitant security failure of the system.  After all,
in a bastion host system, all the nefarious HTTP loggers will see is the
public firewall address.


-- 
Uche Ogbuji                               Principal Consultant
uche.ogbuji@f...               +1 303 583 9900 x 101
Fourthought, Inc.                         http://Fourthought.com
4735 East Walnut St, Ste. C, Boulder, CO 80301-2537, USA
Software-engineering, knowledge-management, XML, CORBA, Linux, Python


PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.